The stolen data includes website usernames and passwords, but LastPass said this sensitive information is encrypted and cannot be easily accessed.
Password management platform LastPass has confirmed that cyberattackers stole data from customer vaults.
The company said the stolen data includes basic account information and related metadata including company names, user names, billing addresses, email addresses, telephone numbers and IP addresses.
LastPass did not specify how many customers may have been affected by the breach. Its password management software is used by more than 33m people and 100,000 businesses worldwide.
The company said an “unknown threat actor” accessed its cloud-based storage environment by using source code and technical information obtained from a cyberattack in August.
While no customer data was accessed during the August incident, LastPass said that stolen information was used to target an employee. This led to the threat actor obtaining “credentials and keys” to access the company’s cloud-based storage service.
“We have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata,” said LastPass CEO Karim Toubba in a blogpost.
“The threat actor was also able to copy a backup of customer vault data from the encrypted storage container, which is stored in a proprietary binary format, that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes and form-filled data.”
This data can only be unlocked with a customer’s master password. The company said the threat actor may attempt to use “brute force” to try guess the master password and decrypt this sensitive data.
“Because of the hashing and encryption methods we use to protect our customers, it would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices,” Toubba said.
“There is no evidence that any unencrypted credit card data was accessed,” he added. “LastPass does not store complete credit card numbers and credit card information is not archived in this cloud storage environment.”
LastPass warned customers that data may be used for phishing attacks or credential stuffing, which is when stolen data is used to try log in to other unrelated services.
Users have been told that LastPass never calls, emails or texts customers to ask them to click on a link to verify personal information.
The company said it has notified law enforcement and regulatory authorities of the incident “out of an abundance of caution”. It has also added new security measures to help detect any unauthorised activity in future.
10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.
Discussion about this post